<!-- Changed by: Jonathan P. Wood,  3-May-1996 -->
<html>
<head>
<title>USTAT Intrusion Detection System</title>
</head>
<center>
<h1>USTAT</h1>
<p>
<h3>State Transition Analysis Tool for UNIX</h3>
</center>
<br><hr><br>
<p>
USTAT is a real-time rule-based intrusion detection system for SunOS4.1.x and
Solaris 2.x.
<p>
<h3><i>Background and History</i></h3>
<h4>
Phillip Porras introduced the concept of STAT in his master's thesis; STAT
is an expert system that detects intrusions using a state transition table.
You can retrieve an <a href="http://www.cs.ucsb.edu/TRs/TRCS93-25.html">abstract</a> of this thesis, or the <a href="http://www.cs.ucsb.edu/TRs/techreports/TRCS93-25.ps">full text (2.7M, postscript)</a>.
<p>
Koral Ilgun implemented STAT as a real-time intrusion detection system for
UNIX; hence U_STAT.  Click here for an <a href="http://www.cs.ucsb.edu/TRs/TRCS93-26.html">abstract</a> of his master's thesis, and here for the <a href="http://www.cs.ucsb.edu/TRs/techreports/TRCS93-26.ps">full text (1.2M, postscript)</a>.  This implementation runs under SunOS 4 and makes use of the SunOS BSM
Audit Trail.
<p>
This project has been, and remains, under the supervision of <a href="http://www.cs.ucsb.edu/~kemm">Dr. Richard Kemmerer</a>.
<p>
<h3><i>Current Work</i></h3>
<h4>
Jonathan Wood has ported USTAT to Solaris 2.x, and is currently investigating
approaches to a distributed intrusion detection system using USTAT.  This 
system will collect data from multiple hosts on a network and process the
data as a unified audit trail.  Other research directions include
integrating USTAT with other IDSs that complement its capabilities (i.e.,
anomaly detection systems), and expanding its auditing capabilities to take
advantage of the extra information gleaned from gathering audit data from
networked machines.
<p>
<br><hr><br>
For more information, contact <a href="mailto:jonwood@cs.ucsb.edu">jonwood@cs.ucsb.edu</a> or <a href="mailto:kemm@cs.ucsb.edu">kemm@cs.ucsb.edu</a>.

<p>
<center>

<hr size=5>
<p>
<i>Last modified: Tue Nov  7 14:08:12 PST 1995 by <a href="http://www.cs.ucsb.edu/~jonwood">Jonathan Wood</a>.</i>

